How to get on the NSA/NIAP Product Compliant List (PCL)

Many vendors seeking to sell hardware or software to the U.S. Government, particularly to defense and intelligence agencies, will find that cyber security product certification is mandated by federal procurement requirements (CNSSP 11) for these environments. We know, because many of our clients come to us for this very reason – fast, efficient, low-risk evaluations that ultimately end up on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL).

NIAP, administered by the National Security Agency (NSA), states the following regarding the PCL:

The following products, evaluated and granted certificates by NIAP or under CCRA partnering schemes, comply with the requirements of the NIAP program and where applicable, the requirements of the Federal Information Processing Standard (FIPS) Cryptographic validation program(s). Products on the PCL are evaluated and accredited at licensed/approved evaluation facilities for conformance to the Common Criteria for IT Security Evaluation (ISO Standard 15408). U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products – dated June 2013 (https://www.cnss.gov/CNSS/issuances/Policies.cfm).

Undertake evaluation with a Common Criteria Laboratory – to facilitate timely PCL listing, our experience has shown that it is preferable to use a ‘five-eyes’ (US, UK, Canada, Australia, New Zealand) based lab.

Unless you have a team of in-house certification experts, you’ll likely want to engage with experienced professionals who can guide you through each step. Contact us today to find out how our Greenlight automation platform and highly experienced team can accelerate your NIAP PCL certification.